[wp-trac] Re: [WordPress Trac] #2425: Pseudo-Cron
WordPress Trac
wp-trac at lists.automattic.com
Wed Mar 8 01:03:40 GMT 2006
#2425: Pseudo-Cron
----------------------------+-----------------------------------------------
        Id:  2425           |      Status:  new
 Component:  Administration |    Modified:  Wed Mar 8 01:03:40 2006
  Severity:  normal         |   Milestone:  2.1
  Priority:  normal         |     Version:  2.0.1
     Owner:  ryan           |    Reporter:  ryan
----------------------------+-----------------------------------------------
Comment (by masquerade):
With the NST about, this may show up as a vulnerability, I can see it now:
========== WordPress 2.1 Remote Cron Execution ==========
Severity: CRITICAL!!!!1
WordPress 2.1 allow any users to run wp-cron.php which may run scheduled
cron jobs on remote server.
this vuln has a few problems though
[1] The cron jobs have to be scheduled by an admin user
If you are an admin user, you can enable cron jobs that could
potentially damage your install or users!!
== Solution ==
wordpress/ $ rm wp-cron.php
--
Ticket URL: <http://trac.wordpress.org/ticket/2425>
WordPress Trac <http://wordpress.org/>
WordPress blogging software